[Snort-users] a lot of Loopback traffic being logged.

rod rod at ...11862...
Fri May 28 03:36:22 EDT 2004


The box had several viruses + worms, but Blaster was the one that seemed
to cause the strange traffic.  Unfortunately tracking it down took a
while and often involves going from router to router following the MAC
address, which in a large network is a pain. 

Sorry for the cross post but this is what pointed me in the right
direction at the beginning: 

http://www.securityfocus.com/archive/75/342726/2003-10-24/2003-10-30/0

On Thu, 2004-05-27 at 18:06, Alejandro Flores wrote:
> 	Hello Rod,
> 
> 	I think it's a good idea to document this. 
> 	What's the worm's name?
> 
> Regards,
> Alejandro
> 
> 
> 
> > We had this for a short while, finally tracked it down to a wormed box
> > on the other side of the router.  The router was letting src traffic
> > from 127.0.0.1 through to our public addresses, this has now been
> > corrected and the traffic has been stopped.
> > 
> > best regards
> > 
> > Rod
> > ________________________________________________________________________
> > 
> > On Fri, 2004-04-23 at 19:23, Chuck Holley wrote: 
> > > Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed
> > > for a while with this command: tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump
> > > 
> > > I'm assuming I'm doing this right. I'm trying to log only packets from
> > > 127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and
> > > write to a file called dump.
> > > 
> > > Now, I did this and got two loggings in tcpdump:
> > > 
> > > 13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
> > > 13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0
> > > 
> > > hal2 is the server that has tcpdump on it. Is this machine one of the
> > > boxes that is sending out the 127.0.0.1, or did I simply pick up two
> > > packets sent out from hal2 to these other machines. 
> > > 
> > > I looked at snort and the exact same IPs, with the exact same ports,
> > > were logged coming from 127.0.0.1
> > > 
> > > To say the least I'm confused even more!!
> > > 
> > > 
> > 
> > 
> > Hi, 
> >  I see it on my external interface too. I used tcpdump with -e parameter
> > to display MAC address of the sender. 
> > 
> > 
> > tcpdump -e -i eth1 src host 127.0.0.1 
> > 
> > 
> > I find that MAC address of loopback packets is my ISP's Cisco switch. 
> > 
> > 
> > So all packets come from external network (I think). I am connected over
> > wi-fi AP and when I sniffed, I have seen that these packets coming to 
> > most connected people in this AP. 
> > 
> > 
> > I don't know what it can be. 
> > 
> > 
> > Regards,
> > 
> > 
> > 
> > 
> 
> 
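The check the thread converges on, flagging packets that carry a 127.0.0.0/8 source on a physical interface and reporting the sender MAC that lets you trace them router by router, written as an added example that is not part of any message in this thread; the frames, MAC and IP values below are constructed samples:

```python
"""Flag Ethernet frames whose IPv4 source is in 127.0.0.0/8.

A loopback source should never appear on the wire; seeing one on an
external interface means spoofed traffic reached you unfiltered.  The
sender MAC is reported because that is what identifies the upstream
switch or router port to follow next (what `tcpdump -e` shows).
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, dst_ip) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimal IPv4 header
        return None
    src_mac = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:  # not IPv4 despite the ethertype; ignore
        return None
    return src_mac, ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])


def loopback_sources(frames):
    """Yield (src_mac, src_ip, dst_ip) for every frame spoofing a loopback source."""
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[1] in LOOPBACK_NET:
            yield parsed


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet/IPv4 frame; sample input only (constructed)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip


# Constructed samples: one spoofed loopback source, one ordinary LAN packet.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "127.0.0.1", "192.168.42.50"),
    build_frame("00:11:22:33:44:66", "aa:bb:cc:dd:ee:ff", "192.168.42.1", "192.168.42.50"),
]

if __name__ == "__main__":
    for mac, src, dst in loopback_sources(SAMPLE_FRAMES):
        print(f"spoofed loopback source {src} -> {dst} from MAC {mac}")
```

On a real capture, feed `loopback_sources` the link-layer payload of each pcap record; the reported MAC belongs to the last hop, so repeat the check one hop upstream until it stops pointing at infrastructure.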